
One point that I thought was clear but there seems to be some confusion about. Most web applications are not a single application, but a series of smaller applications working together. (This site for example uses "newreply.php" and "showthread.php" among others, consequently least privilege and RBAC applies even though they may be subcomponents of the same web application.)

chsh, what part of "I do not wish to argue this point with you further" was unclear? You're trolling, that much is clear. You made a point about how minimizing exploits was not the right approach, then flip-flopped after it was pointed out that is all any security mechanism does.
Clearly nothing more can come of this conversation with you. You have made your points and I mine, the readers can decide what they think has value without drawing this out in a round and round conversation.

Juridian:
1. The proposal I made in no way prevents database indexing.
2. The first line of defense starts with the operating system and should be containment. For the scope of this article, however, it is frequently impractical to apply universal data sanitation to an existing product, especially in an easily auditable manner.
3. Exactly. Unfortunately these are not always available to users, especially at the shoestring level.
4. True, but unfortunately most web applications out there operate in this manner, and it is simply not feasible for users to rewrite these elements.
5. Also true, however my suggestion was merely to aid confidentiality for specific applications where the security requirements outweighed the performance requirements.

Proper analysis and design are important, but again beyond the scope of a shoestring document. Hell, the best way to go (with no regard for required resources) is likely to be using a high assurance OS and a high assurance RDBMS with NIC or router level decryption of secured objects. How useful would that tutorial be?

1) I never said it didn't, I was simply putting my 2 cents in on your point that indexing was useless.

2) Data validation is simple and can be implemented via a shared library or include file and applied to all fields on a website. Creating methods/functions that ensure that your quantity is between 0 and 999, that their name is 30 characters, or that strip out any type of code delimiting characters is retardedly easy (most of this can be found free on the internet if you're not smart enough to do it yourself). Most users do not deal with or care about your os in any way shape or form...it only really directly affects them in the choice of technology used to implement the web application. I said it is the first line because the actual web application interface is the first thing they get their hands on to tweak, hack, or deal with in any way. Why should I do something that grabs attention like screwing with your os security (you're more likely to have auditing and notifications here...) when I can simply tweak a query string or make up my own form for posting data...actions you will most likely not be auditing or notice?

3) All of this is available to users, even at the shoestring level. What is required is the ability to do some basic research and to learn.

Oracle was free on linux last I checked, mysql has been adding features such as stored procedures and views and runs on windows and linux, postgres has them too.

4) Depends on the user's technical ability; you also have the ability and need to properly educate yourself if you are purchasing a solution from a third party. Most people don't, but that is beside the point. There are enough resources out there that you can gain a basic understanding of the technology you are purchasing or what it is implemented with so you can figure out whether it uses proper security or not. It takes little brains to open up a PHP or ASP page to see if there is a SQL statement included. There is also the option of talking to the application developer/provider directly. If they don't want to work with you to get educated, you probably don't need to be doing business with them.

Proper design and analysis are never out of scope. Whether buying a solution or building one it is in your best interests to do your homework and get/create the appropriate solution.

"When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
"There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
"Mischief my ass, you are an unethical moron." - chshBlog of X

Originally posted here by Juridian
1) I never said it didn't, I was simply putting my 2 cents in on your point that indexing was useless.
2) Data validation is simple and can be implemented via a shared library or include file and applied to all fields on a website.

I disagree strongly. Data validation needs to be different on a field-by-field basis, therefore it can't be applied by a "shared library or include file" to a web site.

Stuff like mod_security, which checks requests for attacks, has a very large false positive rate on real applications. This annoys users immensely because their data get thrown away (say you typed a post on a forum, only to get back a 403 error from an overeager data validation system).

Another example is the IIS6 ASP.NET request validation system, which is generally overeager and for some applications creates errors.

Creating methods/functions that ensure that your quantity is between 0 and 999, that their name is 30 characters, or that strip out any type of code delimiting characters is retardedly easy

However, applying such routines across the board in an already-existing complex system, is extremely time-consuming and error prone.

Originally posted here by Soda_Popinsky
Limiting where the attacks can hit is the point! Isn't it?

In some respects yes, but what I'm saying is that to believe you have fixed a problem merely by limiting where it can occur *when certain permissions are required* is flawed thinking.

Originally posted here by catch
One point that I thought was clear but there seems to be some confusion about. Most web applications are not a single application, but a series of smaller applications working together. (This site for example uses "newreply.php" and "showthread.php" among others, consequently least privilege and RBAC applies even though they may be subcomponents of the same web application.)

Actually, this shows your lack of knowledge of general web development best practices, to which vBulletin tries to adhere. Generally, all of these pages INCLUDE the actual code that is being used to interface with the DB, and therefore, there are usually only a few library-style scripts dealing with the database.

chsh, what part of "I do not wish to argue this point with you further" was unclear? You're trolling, that much is clear. You made a point about how minimizing exploits was not the right approach, then flip-flopped after it was pointed out that is all any security mechanism does.

It's all well and good to say you don't wish to argue the point further, but I am allowed to freely post here, so deal with it. What I am doing here is trying to explain to you why you are incorrect in specific thinking as to how webapps are generally written. You bust out your "years of experience" earlier, however they're IME irrelevant when it comes to web software design -- no, ESPECIALLY as pertains to web software. Barring Java Servlets or ASP.NET, almost all web languages I've encountered are written in wholly different ways than regular applications due to the communication medium differences, etc... What it boils down to is, I have experience in this, it is contradictory to some of what you are saying. If that is trolling so be it, I'm a troll. At least I'm a troll with a clue.

Clearly nothing more can come of this conversation with you. You have made your points and I mine, the readers can decide what they think has value without drawing this out in a round and round conversation.

Perhaps you're once again proving the criticisms that have been levelled against you are accurate?

Since I'm now a troll, I can freely say things like:
I'm still waiting for your patch to PHPNuke Catch, I'm looking forward to seeing how long it took you.
Go back to managing your underlings, if you even have any.
And so on...

Originally posted here by slarty
I disagree strongly. Data validation needs to be different on a field-by-field basis, therefore it can't be applied by a "shared library or include file" to a web site.

No, it needs to be done on a data type basis, not field by field. At most you would need about maybe 50-60 functions in your average web language, maybe more in others where you are storing serialized object data and so forth.

However, applying such routines across the board in an already-existing complex system, is extremely time-consuming and error prone.

Time consuming, yes. Error prone can be dealt with through testing. You are checking your work, right?

Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
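As an added example (not code from this thread or from any poster), here is what "validation on a data type basis" could look like as a shared module: validators keyed by data type (Juridian's 0..999 quantity and 30-character name), a per-field schema that the application chooses (an assumed layout), and a free-text type that is only length-bounded, so a legitimate forum post containing quotes or angle brackets is not thrown away the way slarty describes for request filters.

```python
import re
from typing import Callable

# Validators are written once per data type, not once per field. Each returns
# the cleaned value or raises ValueError. Assumption: the application maps each
# form field to a validator via a schema dict (a hypothetical layout).
Validator = Callable[[str], object]

def bounded_int(lo: int, hi: int) -> Validator:
    """Integer type: digits only, then a range check (e.g. quantity 0..999)."""
    def check(raw: str) -> int:
        if not re.fullmatch(r"-?\d{1,10}", raw.strip()):
            raise ValueError("not an integer")
        val = int(raw)
        if not lo <= val <= hi:
            raise ValueError(f"out of range {lo}..{hi}")
        return val
    return check

def bounded_text(max_len: int, allowed: str = r"[\w .'-]*") -> Validator:
    """Short identifier-like text (e.g. a 30-character name) with an allowlist."""
    def check(raw: str) -> str:
        if len(raw) > max_len:
            raise ValueError(f"longer than {max_len}")
        if not re.fullmatch(allowed, raw):
            raise ValueError("disallowed characters")
        return raw
    return check

def free_text(max_len: int) -> Validator:
    """Post body type: length-bounded only; no characters are stripped, so
    encoding for HTML or SQL is left to the output/query layer, not done here."""
    def check(raw: str) -> str:
        if len(raw) > max_len:
            raise ValueError(f"longer than {max_len}")
        return raw
    return check

def validate_form(schema: dict[str, Validator], form: dict[str, str]):
    """Apply the schema to a submitted form. Fields not in the schema (a
    made-up query string parameter, for instance) are rejected, not ignored."""
    clean, errors = {}, {}
    for name in set(form) - set(schema):
        errors[name] = "unexpected field"
    for name, check in schema.items():
        try:
            clean[name] = check(form.get(name, ""))
        except ValueError as exc:
            errors[name] = str(exc)
    return clean, errors

# Constructed schema for an order form; real applications define their own.
ORDER_SCHEMA = {"quantity": bounded_int(0, 999), "name": bounded_text(30), "note": free_text(2000)}
```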

Originally posted here by slarty
I disagree strongly. Data validation needs to be different on a field-by-field basis, therefore it can't be applied by a "shared library or include file" to a web site.

Stuff like mod_security, which checks requests for attacks, has a very large false positive rate on real applications. This annoys users immensely because their data get thrown away (say you typed a post on a forum, only to get back a 403 error from an overeager data validation system).

Another example is the IIS6 ASP.NET request validation system, which is generally overeager and for some applications creates errors.

However, applying such routines across the board in an already-existing complex system, is extremely time-consuming and error prone.

Slarty

You can disagree all you like, until you actually evaluate your real needs your opinion isn't worth a drop of piss in a bucket. You don't know what you can re-use and what you can't.

There is a lot of base level validation that can be shared in this way. Especially the stuff that strips code delimiting characters that I mentioned; anyplace that takes in text that goes off to some SQL or gets stored some place and displayed back to the user needs it.

ASP.NET validation is not IIS 6, and is completely configurable while you are creating the web app. If you use the components correctly or write your own in the proper manner, you can make it very hard to bust your web app in this manner.

I'm not pulling this stuff out of my ass people, I've been testing, building and auditing web apps for years. I've been doing this for about any db, os, and web app technology imaginable. This is also all the same stuff that groups such as OWASP will tell you.

Applying this type of code to an entire system can be difficult and error prone, if you do not do your homework and handle the project properly. It's still not rocket science. I think it maybe took a month to handle the code and testing the last time I had to do it to a full on e-commerce platform. The time taken depends on your resources at hand, the scope of the application, and is justifiable by people not blatantly ripping you off, DoSing you, limiting fraud, etc.

catch is correct that the CM of the site is important...it is for any app or service. But it isn't the end all be all.

Originally posted here by chsh
In some respects yes, but what I'm saying is that to believe you have fixed a problem merely by limiting where it can occur *when certain permissions are required* is flawed thinking.

Defense in depth suckas.